Fixed issues in JWT Authenticator

4.x.x
mharindu 9 years ago
parent b77f5358e8
commit ace6c2dbfc

@ -47,10 +47,10 @@ import java.util.StringTokenizer;
*/ */
public class JWTAuthenticator implements WebappAuthenticator { public class JWTAuthenticator implements WebappAuthenticator {
private static final Log log = LogFactory.getLog(JWTAuthenticator.class); private static final Log log = LogFactory.getLog(JWTAuthenticator.class);
public static final String SIGNED_JWT_AUTH_USERNAME = "Username"; public static final String SIGNED_JWT_AUTH_USERNAME = "http://wso2.org/claims/enduser";
private static final String JWT_AUTHENTICATOR = "JWT"; private static final String JWT_AUTHENTICATOR = "JWT";
private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion"; private static final String JWT_ASSERTION_HEADER = "X-JWT-Assertion";
@Override @Override
public void init() { public void init() {
@ -59,46 +59,45 @@ public class JWTAuthenticator implements WebappAuthenticator {
@Override @Override
public boolean canHandle(Request request) { public boolean canHandle(Request request) {
String authorizationHeader = request.getHeader(JWTAuthenticator.JWT_ASSERTION_HEADER); String authorizationHeader = request.getHeader(JWTAuthenticator.JWT_ASSERTION_HEADER);
if((authorizationHeader != null) && !authorizationHeader.isEmpty()){ if ((authorizationHeader != null) && !authorizationHeader.isEmpty()) {
return true; return true;
} }
return false; return false;
} }
@Override @Override
public AuthenticationInfo authenticate(Request request, Response response) { public AuthenticationInfo authenticate(Request request, Response response) {
String requestUri = request.getRequestURI(); String requestUri = request.getRequestURI();
AuthenticationInfo authenticationInfo = new AuthenticationInfo(); AuthenticationInfo authenticationInfo = new AuthenticationInfo();
if (requestUri == null || "".equals(requestUri)) { if (requestUri == null || "".equals(requestUri)) {
authenticationInfo.setStatus(Status.CONTINUE);
}
StringTokenizer tokenizer = new StringTokenizer(requestUri, "/");
String context = tokenizer.nextToken();
if (context == null || "".equals(context)) {
authenticationInfo.setStatus(Status.CONTINUE); authenticationInfo.setStatus(Status.CONTINUE);
} }
StringTokenizer tokenizer = new StringTokenizer(requestUri, "/");
//Get the filesystem keystore default primary certificate String context = tokenizer.nextToken();
KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID); if (context == null || "".equals(context)) {
try { authenticationInfo.setStatus(Status.CONTINUE);
keyStoreManager.getDefaultPrimaryCertificate(); }
String authorizationHeader = request.getHeader(HTTPConstants.HEADER_AUTHORIZATION);
String headerData = decodeAuthorizationHeader(authorizationHeader); //Get the filesystem keystore default primary certificate
JWSVerifier verifier = KeyStoreManager keyStoreManager = KeyStoreManager.getInstance(MultitenantConstants.SUPER_TENANT_ID);
new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey()); try {
SignedJWT jwsObject = SignedJWT.parse(headerData); keyStoreManager.getDefaultPrimaryCertificate();
if (jwsObject.verify(verifier)) { String authorizationHeader = request.getHeader(JWT_ASSERTION_HEADER);
String username = jwsObject.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME); JWSVerifier verifier =
String tenantDomain = MultitenantUtils.getTenantDomain(username); new RSASSAVerifier((RSAPublicKey) keyStoreManager.getDefaultPublicKey());
username = MultitenantUtils.getTenantAwareUsername(username); SignedJWT jwsObject = SignedJWT.parse(authorizationHeader);
TenantManager tenantManager = AuthenticatorFrameworkDataHolder.getInstance().getRealmService(). if (jwsObject.verify(verifier)) {
String username = jwsObject.getJWTClaimsSet().getStringClaim(SIGNED_JWT_AUTH_USERNAME);
String tenantDomain = MultitenantUtils.getTenantDomain(username);
username = MultitenantUtils.getTenantAwareUsername(username);
TenantManager tenantManager = AuthenticatorFrameworkDataHolder.getInstance().getRealmService().
getTenantManager(); getTenantManager();
int tenantId = tenantManager.getTenantId(tenantDomain); int tenantId = tenantManager.getTenantId(tenantDomain);
if (tenantId == -1) { if (tenantId == -1) {
log.error("tenantDomain is not valid. username : " + username + ", tenantDomain " + log.error("tenantDomain is not valid. username : " + username + ", tenantDomain " +
": " + tenantDomain); ": " + tenantDomain);
} else { } else {
UserStoreManager userStore = AuthenticatorFrameworkDataHolder.getInstance().getRealmService(). UserStoreManager userStore = AuthenticatorFrameworkDataHolder.getInstance().getRealmService().
getTenantUserRealm(tenantId).getUserStoreManager(); getTenantUserRealm(tenantId).getUserStoreManager();
if (userStore.isExistingUser(username)) { if (userStore.isExistingUser(username)) {
@ -108,41 +107,43 @@ public class JWTAuthenticator implements WebappAuthenticator {
authenticationInfo.setStatus(Status.CONTINUE); authenticationInfo.setStatus(Status.CONTINUE);
} }
} }
} } else {
} catch (UserStoreException e) { authenticationInfo.setStatus(Status.FAILURE);
log.error("Error occurred while obtaining the user.", e); }
} catch (ParseException e) { } catch (UserStoreException e) {
log.error("Error occurred while parsing the JWT header.", e); log.error("Error occurred while obtaining the user.", e);
} catch (JOSEException e) { } catch (ParseException e) {
log.error("Error occurred while verifying the JWT header.", e); log.error("Error occurred while parsing the JWT header.", e);
} catch (Exception e) { } catch (JOSEException e) {
log.error("Error occurred while verifying the JWT header.", e); log.error("Error occurred while verifying the JWT header.", e);
} } catch (Exception e) {
return authenticationInfo; log.error("Error occurred while verifying the JWT header.", e);
} }
return authenticationInfo;
private String decodeAuthorizationHeader(String authorizationHeader) { }
if(authorizationHeader == null) { private String decodeAuthorizationHeader(String authorizationHeader) {
return null;
} if (authorizationHeader == null) {
return null;
String[] splitValues = authorizationHeader.trim().split(" "); }
byte[] decodedBytes = Base64Utils.decode(splitValues[1].trim());
if (decodedBytes != null) { String[] splitValues = authorizationHeader.trim().split(" ");
return new String(decodedBytes); byte[] decodedBytes = Base64Utils.decode(splitValues[1].trim());
} else { if (decodedBytes != null) {
if (log.isDebugEnabled()) { return new String(decodedBytes);
log.debug("Error decoding authorization header."); } else {
} if (log.isDebugEnabled()) {
return null; log.debug("Error decoding authorization header.");
} }
} return null;
}
@Override }
public String getName() {
return JWTAuthenticator.JWT_AUTHENTICATOR; @Override
} public String getName() {
return JWTAuthenticator.JWT_AUTHENTICATOR;
}
@Override @Override
public void setProperties(Properties properties) { public void setProperties(Properties properties) {
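Review bot: After `if (jwsObject.verify(verifier))` in the `authenticate` hunk, the signature is the only thing validated; the claims set's expiry is never read, so an assertion captured once would keep being accepted indefinitely (exp, nbf, issuer and audience are all unchecked). Add a time check before the username lookup, e.g. `Date exp = jwsObject.getJWTClaimsSet().getExpirationTime();` followed by `if (exp == null || exp.before(new Date())) { authenticationInfo.setStatus(Status.FAILURE); return authenticationInfo; }` (with `java.util.Date` imported). Separately, every catch block only logs, so a parse or verification error returns `authenticationInfo` with whatever status it already carried rather than `Status.FAILURE`, and `decodeAuthorizationHeader` appears to be unreferenced now that `SignedJWT.parse(authorizationHeader)` consumes the raw header, so it can be removed together with its unguarded `splitValues[1]` access. `authenticate` begins in the preceding hunk and the body of `setProperties` runs past the end of this one.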
